The present invention relates to a method for controlling computer network security.
Firewalls and intrusion detection systems are devices that are used to protect a computer network from unauthorized or disruptive users. A firewall can be used to secure a local area network from users outside the local area network. A firewall checks, routes, and frequently labels all messages sent to or from users outside the local area network. An intrusion detection system (IDS) can be used to recognize suspicious patterns of behavior in a communication system. Examples of an intrusion detection system include a network intrusion detection system (NIDS) and a host intrusion detection system (HIDS). A NIDS can be used to examine information being communicated within a network to recognize suspicious patterns of behavior. A HIDS can be used to examine information being communicated through a particular host computer within a network to recognize suspicious patterns of behavior. Information obtained by the intrusion detection system (IDS) can be used to block unauthorized or disruptive users from accessing the network.
Either a firewall or an intrusion detection system can create log records that record incoming and outgoing events into or out of a network. Log records can include events such as security violations, bandwidth usage, email usage, and employee access to the Internet. Typically, these log records are reviewed by network security administrators in order to detect attempted security breaches or to find trends in traffic patterns. Since the number of log records is typically quite large, query languages are often used to analyze the log records to detect attempted security intrusions. Query languages can also be used to analyze the log records and generate reports summarizing these log records for the network administrator. These reports can be used by the network administrator to respond to a recognized network security intrusion. Query language instructions operating on log records can also be used to generate alerts for the network administrator. Since the number of log records can be quite large, the network security solutions utilizing query language instructions to analyze the log records can be slow. Query language based solutions can be slow when all the log records are analyzed every time a new query is received.